Controlling Information Systems: Introduction to Internal Control

Posted 14-Apr-2017

Page 1: controlling information system

Controlling Information Systems: Introduction to Internal Control

Page 2: controlling information system

2

Why do we need controls?

• (1) to provide reasonable assurance that the goals of each business process are being achieved

• (2) to mitigate the risk that the enterprise will be exposed to some type of harm, danger, or loss (including loss caused by fraud or other intentional and unintentional acts)

• (3) to provide reasonable assurance that the company is in compliance with applicable legal and regulatory obligations.

Page 3: controlling information system

3

Common Business Exposures

1. Erroneous recordkeeping
2. Unacceptable accounting
3. Business interruption
4. Erroneous management decisions
5. Fraud and embezzlement
6. Statutory sanctions
7. Excessive costs
8. Loss or destruction of resources
9. Competitive disadvantage

Page 4: controlling information system

4

Five Interrelated Components of Internal Control

1. Control environment - tone at the top
2. Risk assessment - identification/analysis of risks
3. Control activities - policies and procedures
4. Information & communication - processing of info in a form and time frame to enable people to do their jobs
5. Monitoring - process that assesses the quality of internal control over time

Page 5: controlling information system

5

Gelinas, Sutton & Hunton’s Working Definition of IC: Key Points

• A system of internal control is not an end in itself. Rather, it is a means to an end—the end of attaining process objectives

• Internal control itself is a system. Therefore, like any system it must
– (1) have clearly defined goals and
– (2) consist of interrelated components that act in concert to achieve those goals.
– We can also say that internal control is a process

• Establishing a viable internal control system is management’s responsibility.

• The strength of any internal control system is largely a function of the people who operate it.

• Internal control cannot be expected to provide absolute, 100% assurance that the organization will reach its objectives. Rather, the operative phrase is that it should provide reasonable assurance

• Internal control is not free; controls should be built in and cost effective

Page 6: controlling information system

6

Gelinas, Sutton & Hunton’s Working Definition of IC

• …a system of integrated elements - people, structure, processes, and procedures - acting in concert to provide reasonable assurance that an organization achieves business process goals. The design and operation of the internal control system is the responsibility of top management and therefore should:

Page 7: controlling information system

7

(Text definition of IC cont.)

• Reflect management’s careful assessment of risks.

• Be based on management’s evaluation of costs versus benefits.

• Be built on management’s strong sense of business ethics and personal integrity.

Page 8: controlling information system

8

General Control Model: Figure 7.1

Page 9: controlling information system

9

Business Process Control Goals

• Control Goals - ends to be obtained
– Control goals of operations processes
– Control goals of information processes
– See Table 7.1 Control Goals (page 244)

Page 10: controlling information system

10

Control Goals of the Operations Process

• Ensure effectiveness of operations
• Ensure efficient employment of resources
• Ensure security of resources

Page 11: controlling information system

11

Control Goals of Operations Process

• Ensure effectiveness of operations
– A measure of success in meeting one or more operations process goals, which reflect the criteria used to judge the effectiveness of various business processes
– Ex. Deposit cash receipts on the day received

• Ensure efficient employment of resources
– A measure of the productivity of the resources applied to achieve a set of goals
– Ex. What is the cost of people, computers, and other resources to deposit cash on the day received?

• Ensure security of resources
– Protecting an organization’s resources from loss, destruction, disclosure, copying, sale, or other misuse
– Ex. Are cash and information resources available when required?
– Ex. Are they put to authorized use?

Page 12: controlling information system

12

Control Goals of the Information Process

• For business event inputs, ensure
– Input validity
– Input completeness
– Input accuracy

• For master data, ensure
– Update completeness
– Update accuracy

Page 13: controlling information system

13

Control Goals of Information Process

• Input validity
– Input data are approved and represent actual economic events and objects
– Ex. Are all cash receipts input into the process and supported by customer payments?

• Input completeness
– Requires that all valid events or objects be captured and entered into the system
– Ex. Are all valid customer payments captured on a customer remittance advice (RA) and entered into the process?

• Input accuracy (correct data entered correctly)
– Requires that events be correctly captured and entered into the system
– Ex. Are the correct payment amount and customer number on the RA?
– Ex. Are the correct payment amount and customer number keyed into the system?

Page 14: controlling information system

14

Control Goals of Information Process

• Update completeness
– Requires that all events entered into the computer are reflected in their respective master data
– Ex. Are all input cash receipts recorded in the AR master data?

• Update accuracy
– Requires that data entered into a computer are reflected correctly in their respective master data
– Ex. Are all input cash receipts correctly recorded in the AR master data?

Page 15: controlling information system

15

Business Process Control Plans

• Business Process Control Plans - reflect information processing policies and procedures that assist in accomplishing control goals
– The Control Environment: the fact that the control environment appears at the top of the hierarchy illustrates that the control environment comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.
– Pervasive control plans also relate to a multitude of goals and processes
• Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate.
• They are broad in scope and apply equally to all business processes, hence they pervade all systems.
– Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.

Page 16: controlling information system

16

Page 17: controlling information system

17

Other Classifications of Control Plans

• Preventive Controls: issue is prevented from occurring – cash receipts are immediately deposited to avoid loss
• Detective Controls: issue is discovered – unauthorized disbursement is discovered during reconciliation
• Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data

Page 18: controlling information system

18

The Control Matrix

• The control matrix is a tool designed to assist you in analyzing a systems flowchart and related narrative.

• It establishes the criteria to be used in evaluating the controls in a particular business process.

Page 19: controlling information system

19

Sample Control Matrix

Page 20: controlling information system

20

Steps in Preparing Control Matrix

I. Specifying control goals represents the first step in building a control matrix. The goals are listed across the top row of the matrix.

1. Identify the operations process goals
a. Effectiveness goals
b. Efficiency goals
c. Security goals

2. Identify Information Process Goals
a. Input Goals
b. Update Goals

Page 21: controlling information system

21

Operations Process Goals: Effectiveness Goals

i. Ensure the successful accomplishment of the goals set forth for the business process

ii. Different processes have different effectiveness goals. For Causeway’s cash receipts process we include only two examples here:

– Goal A—to accelerate cash flow by promptly depositing cash receipts.
– Goal B—to ensure compliance with compensating balance agreements with the depository bank.
– Other possible goals of a cash receipts process would be shown as goals C, D, and so forth, and described at the bottom of the matrix (in the matrix legend).

iii. With respect to other business processes, such as production, we might be concerned with effectiveness goals related to the following:

– Goal A—to maintain customer satisfaction by finishing production orders on time.

– Goal B—to increase market share by ensuring the highest quality of finished goods.

Page 22: controlling information system

22

Operations Process Goals: Efficiency Goals

i. The purpose of efficiency control goals of the operations process is to ensure that all resources used throughout the business process are being employed in the most productive manner

ii. In parentheses, notice that we have listed two resources of the cash receipts process for which efficiency is applicable—people and computers.

• In fact, people and computers would always be considered in the efficiency assessments related to accounting information systems.

iii. In other business processes, such as receiving goods and supplies, we might also be concerned with the productive use of equipment such as trucks, forklifts, and hand-held scanners.

Page 23: controlling information system

23

Operations Process Goals: Security Goals

i. The purpose of security control goals of the operations process is to ensure that entity resources are protected from loss, destruction, disclosure, copying, sale, or other misuse.

ii. In parentheses, we have included two resources of the cash receipts process over which security must be ensured—cash and information (accounts receivable master data).
• With any business process, we are concerned with information that is added, changed, or deleted as a result of executing the process, as well as assets that are brought into or taken out of the organization as a result of the process, such as cash, inventory, and fixed assets.

iii. With regard to other business processes, such as shipping, we might include customer master data and shipping data.
• Note: The security over hard assets used to execute business processes, such as computer equipment, trucks, trailers, and loading docks, is handled through pervasive controls (discussed in Chapter 7).

Page 24: controlling information system

24

Information Process Goals: Input Goals

i. With respect to all business process data entering the system, the purpose of input goals of the information process is to ensure:
• input validity (IV)
• input completeness (IC) and
• input accuracy (IA).

ii. With the cash receipts process, we are concerned with input validity, accuracy, and completeness over cash receipts
• Here, they are in the form of remittance advices
• Notice that we specifically name the input data of concern in parentheses.

iii. With respect to other business processes, such as hiring employees, we would be concerned with other inputs, such as employee, payroll, and benefit plan data.

Page 25: controlling information system

25

Information Process Goals: Update Goals

i. Update goals must consider all related information that will be affected by the input data, including master file data and ledger data. For the business process input data, the purpose of update control goals of the information process is to ensure:
• The update completeness (UC) and
• Update accuracy (UA)

ii. With regard to the cash receipts information process, we recognize that the accounts receivable data will be updated by cash receipts
• Cash received reflects the debit and customer account reflects the credit.
• Notice that we list accounts receivable master data in the control matrix.

iii. Other business processes, such as cash payments, would involve different update concerns, such as vendor, payroll, or accounts payable master data.

Page 26: controlling information system

26

Steps in Preparing the Control Matrix

II. Recommending Control Plans
1. Annotating “Present” Control Plans
2. Evaluating “Present” Control Plans
3. Identifying and Evaluating “Missing” Control Plans

Page 27: controlling information system

27

Causeway Annotated Systems Flowchart

Page 28: controlling information system

28

Annotating Present Control Plans

• Start on the upper left-hand column of the systems flowchart and spot the first manual keying symbol, manual process symbol, or computer process symbol (process related symbols)

• Then, follow the sequential logic of the systems flowchart and identify all of the process-related symbols.

• Each process-related symbol reflects an internal control plan which is already present.

• It is important to recognize that while a control plan may be present, it may not be working as effectively as it should; thus, you might recommend ways to strengthen or augment existing control plans

Page 29: controlling information system

29

Annotate the Process Flow Chart

• Review the flowchart and determine whether a control is present (P-) or missing (M-)
• Annotate the flowchart
– If controls are present, mark P-
– If controls are absent, mark M-

Page 30: controlling information system

30

Annotating Present Control Plans

a. Reviewing the Causeway systems flowchart (Figure 9.2), you will find that the first process-related symbol is entitled “Endorse checks.”
– Because this process appears on the flowchart, this control plan already exists, meaning it is present as opposed to missing.
– Accordingly, place a P- beside the process, indicating that it is present, and a 1 beside the P- reflecting the first present control plan on the flowchart.
– As a result, you should have annotated the systems flowchart with a P-1.

Page 31: controlling information system

31

Annotating Present Control Plans

b. Continue reviewing the systems flowchart by following its sequential logic, annotating the flowchart with P-2, P-3, and so on until you have accounted for all present control plans.
– Notice on the flowchart (Figure 9-2) that eight control plans (P-1–P-8) are already present at Causeway.

Page 32: controlling information system

32

Evaluating “Present” Control Plans:

• Write the number (P-1, P-2, P-3 through P-n) and name of each control plan in the left-hand column of the control matrix.

• Then, starting with P-1, look across the row and determine which control goals the plan addresses and place a P-1 in each cell of the matrix for which P-1 is applicable.

• It is possible that a given control plan can attend to more than one control goal.

• Continue this procedure for each of the present control plans.

• Simultaneously, in the legend of the matrix, describe how the control plan addresses each noted control goal.

Page 33: controlling information system

33

Identifying and Evaluating “Missing” Control Plans:

• The next step in recommending control plans is to determine if additional controls are needed to address missing control goal areas, strengthen present control plans, or both.

Page 34: controlling information system

34

Identifying and Evaluating “Missing” Control Plans:

• Examining the control matrix: the first place to start is to look at the control matrix and see if there are any control goals (operations or information) that no present control plan addresses.

• If so, you need to do the following:
i. In the left-hand column of the matrix, number the first missing control plan as M-1 and label or title the plan.
ii. Across the matrix row, place M-1 in each cell for which the missing control is designed.
iii. In the legend of the matrix, explain how the missing control will address each noted control goal.
iv. On the systems flowchart, annotate M-1 where the control should be inserted.
v. If there are still control goals that no control plan has addressed, develop another plan (M-2) and repeat the four previous steps (i through iv). Continue this procedure until each control goal on the matrix is addressed by at least one control plan.

• With regard to Causeway, we have noted two missing control plans, M-1 and M-2, in the sample control matrix for the Cash Receipts Business Process, although more might exist
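The control-matrix procedure in steps I and II (goals across the top, present plans P-n down the left, then M-n plans until every goal column has at least one mark) can be carried out mechanically. The following Python is an added example, not part of the slides or the textbook's materials: the goal codes, the four present plans and the goals each one addresses are constructed sample values, not Causeway's actual matrix, and the two candidate missing plans are hypothetical.

```python
"""Added example: a control matrix for a cash receipts process, with the
'present' and 'missing' steps of the procedure carried out in code.
All plan names and goal assignments are constructed for illustration."""

# Step I: control goals across the top row of the matrix.
# Operations process goals (effectiveness A/B, efficiency, security) and
# information process goals (IV, IC, IA, UC, UA).
CONTROL_GOALS = [
    "A",    # effectiveness: accelerate cash flow by promptly depositing receipts
    "B",    # effectiveness: comply with compensating balance agreements
    "EFF",  # efficient employment of people and computers
    "SEC",  # security of cash and AR master data
    "IV", "IC", "IA",   # input validity, completeness, accuracy (remittance advices)
    "UC", "UA",         # update completeness, accuracy (AR master data)
]

# Step II.1/II.2: present plans read off the annotated flowchart, each mapped
# to the goals it addresses (constructed sample assignments).
PRESENT_PLANS = {
    "P-1 Endorse checks": {"SEC"},
    "P-2 Compare checks and RAs": {"IV", "IA"},
    "P-3 Batch totals": {"IC", "IA", "UC", "UA"},
    "P-4 Immediate deposit": {"A", "SEC"},
}


def build_matrix(goals, plans):
    """Return {plan: {goal: bool}}; a True cell is where the plan's label goes."""
    return {plan: {g: (g in hit) for g in goals} for plan, hit in plans.items()}


def uncovered_goals(goals, plans):
    """Step II.3: goal columns in which no present plan has a mark."""
    covered = set().union(*plans.values())
    return [g for g in goals if g not in covered]


def recommend_missing_plans(goals, plans, candidates):
    """Number candidate plans M-1, M-2, ... (steps i-v) until every goal is
    addressed, returning (numbered missing plans, goals still uncovered).
    `candidates` is a hypothetical {name: goals} list an analyst proposes."""
    missing = {}
    remaining = set(uncovered_goals(goals, plans))
    for name, addressed in candidates.items():
        if not remaining:
            break
        if addressed & remaining:          # only keep plans that close a gap
            missing[f"M-{len(missing) + 1} {name}"] = addressed
            remaining -= addressed
    return missing, sorted(remaining)


def render(goals, plans):
    """Plain-text matrix: plans down the left column, goals across the top."""
    rows = ["{:<32}".format("Control plan") + " ".join(f"{g:>4}" for g in goals)]
    for plan, cells in build_matrix(goals, plans).items():
        label = plan.split()[0]            # "P-1", "M-2", ...
        rows.append("{:<32}".format(plan)
                    + " ".join(f"{label if hit else '':>4}" for hit in cells.values()))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(CONTROL_GOALS, PRESENT_PLANS))
    print("Goals with no present plan:", uncovered_goals(CONTROL_GOALS, PRESENT_PLANS))
    candidates = {"Reconcile bank statement": {"B", "UA"},
                  "Data entry performance reports": {"EFF"}}
    missing, still = recommend_missing_plans(CONTROL_GOALS, PRESENT_PLANS, candidates)
    print(render(CONTROL_GOALS, {**PRESENT_PLANS, **missing}))
    print("Still uncovered after M-plans:", still)
```

Running it lists goals B and EFF as uncovered by the four present plans, numbers the two candidates M-1 and M-2, and reports no remaining gaps; the legend text for each plan would still be written by hand, as the slides describe.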

Page 35: controlling information system

35

Evaluating the systems flowchart:

• Even though all of the control goals on the matrix are now addressed, closely review the systems flowchart one more time.
• Look for areas where further controls are needed.
• Even when all control goals on the matrix have one or more associated control plans, we might still have to add more control plans or strengthen existing plans to reduce residual risk to an acceptable level in certain areas.
• It takes training and experience to spot risks and weaknesses of this nature
• In Chapters 10 through 16 you will learn more about how to make such critical internal control assessments.

Page 36: controlling information system

36

Sample Control Plans for Data Input

1. Processing input data without access to master data

2. Processing input data with access to master data

3. Batch input

Page 37: controlling information system

37

Processing input data without access to master data

• Because systems without master data require manual keying of data (an error-prone process), special controls are necessary to ensure control goals are met
– Entry w/o master data implies that a database does not exist or is unavailable to verify data
– This makes controls over entry of data more important

Page 38: controlling information system

38

Data Entry Without Master Data

Page 39: controlling information system

39

Available Control Plans for Data Input

• Note that the first process-related symbol appears as “key document” in the first column (data entry clerk 1).
– P-1: Document Design—source document is designed to easily complete and key data
– P-2: Written Approvals—signature or initials indicating approval of event processing
– P-3: Preformatted Screens—defines acceptable format for each data field (e.g., 9 numeric characters for SSN)
– P-4: Online Prompting—requests user input or asks questions, e.g., message box

Page 40: controlling information system

40

Available Control Plans for Data Input, Cont’d.

• The next process-related symbol (edit input) appears in the second column (data entry devices).

• P-5: Programmed Edit Checks
– Automatically performed by data entry programs upon entry of data
• Reasonableness checks (limit checks)—tests input for values within predetermined limits
• Document/record hash totals—compares computer total to manually calculated total
• Mathematical accuracy checks—compare calculations performed manually to computer calculations, e.g., compare the manually entered invoice total to the computer-calculated total
• Check digit verification—a functionally dependent extra digit is appended to a number; if miskeying occurs, a check digit mismatch occurs and the system rejects the input
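The four edit checks under P-5 are the kind of thing a data entry program runs before a keyed record is accepted. The Python below is an added example, not code from the slides or the textbook: it applies a limit check, a hash total, a mathematical accuracy check and check digit verification to constructed remittance advice records. The field names, the amount limits and the mod-10 (Luhn-style) check digit scheme are assumptions; the slides name the checks but prescribe no particular algorithm.

```python
"""Added example: the programmed edit checks of P-5 applied to keyed
remittance advices. Record layout, limits and the mod-10 check digit scheme
are assumptions for illustration."""


def reasonableness_check(value, low, high):
    """Limit check: the keyed value must fall within predetermined limits."""
    return low <= value <= high


def hash_total(values):
    """Document/record hash total: a sum over a field with no business meaning
    (here customer numbers), kept only to detect lost, duplicated or miskeyed records."""
    return sum(values)


def batch_hash_total_check(records, manual_total):
    """Compare the computer's hash total over a batch with the total the clerk
    footed by hand before keying."""
    return hash_total(int(r["customer_number"]) for r in records) == manual_total


def mathematical_accuracy_check(line_amounts, keyed_total):
    """Compare the manually keyed document total with the computer's own sum of
    the line amounts. Amounts are integers in cents to avoid float drift."""
    return sum(line_amounts) == keyed_total


def mod10_check_digit(digits):
    """Compute a mod-10 (Luhn) check digit for a string of digits: the
    'functionally dependent extra digit' the slide describes (scheme assumed)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting at the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def check_digit_verify(number_with_check):
    """Recompute the check digit from the leading digits and compare it with the
    keyed last digit. A single miskeyed digit or an adjacent transposition
    changes the recomputed digit, so the input is rejected."""
    if not number_with_check.isdigit() or len(number_with_check) < 2:
        return False
    body, keyed = number_with_check[:-1], number_with_check[-1]
    return mod10_check_digit(body) == int(keyed)


def edit_remittance_advice(ra):
    """Run the per-record checks over one keyed remittance advice and return
    the list of edit failures; an empty list means the record may be recorded."""
    failures = []
    if not check_digit_verify(ra["customer_number"]):
        failures.append("check digit mismatch on customer number")
    if not reasonableness_check(ra["amount_cents"], 1, 5_000_000):
        failures.append("amount outside limits")
    if not mathematical_accuracy_check(ra["invoice_amounts_cents"], ra["amount_cents"]):
        failures.append("keyed total != sum of invoice amounts")
    return failures


# Constructed sample records: "1234566" carries a valid mod-10 check digit;
# "1234656" is the same number with two adjacent digits transposed.
GOOD_RA = {"customer_number": "1234566", "amount_cents": 125_000,
           "invoice_amounts_cents": [75_000, 50_000]}
BAD_RA = {"customer_number": "1234656", "amount_cents": 125_000,
          "invoice_amounts_cents": [75_000, 60_000]}

if __name__ == "__main__":
    for ra in (GOOD_RA, BAD_RA):
        print(ra["customer_number"], edit_remittance_advice(ra) or "accepted")
    print("batch hash total matches:", batch_hash_total_check([GOOD_RA, BAD_RA], 2_469_222))
```

The check digit catches the transposition in the second record, and the accuracy check catches the total that does not foot; a real edit program would route both failures to the rejected-input procedure (P-6) rather than recording the record.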

Page 41: controlling information system

41

Available Control Plans for Data Input

• P-6: Procedures for rejected input—rejected inputs are corrected and resubmitted for processing
• P-7: Keying corrections—clerk corrects inputs
• P-8: Interactive feedback checks—computer informs clerk that input has been accepted/rejected
• P-9: Record input—record is recorded in transaction data rather than being re-keyed at another time
• M-1: Key verification—data is keyed by two different individuals then compared by the computer

Page 42: controlling information system

42

Control Matrix w/o Master Data

Page 43: controlling information system

43

Control Plans for Data Entry With Master Data

• When standing (master) data is present, data entered can be verified against existing data, providing additional data-entry controls
– Data entry with master data implies the presence of an existing database populated with data
– Data in the database is used to populate entry forms or is compared to data entered
• If we have available the actual customer master data, we can use the customer number to call up the stored customer master data and determine if the customer number has been entered correctly, if the customer exists, the customer’s correct address, and so forth.
• In the next section we describe the additional controls available to us when master data is available during data entry.

Page 44: controlling information system

44

Systems Flowchart: Data Entry With Master Data

Page 45: controlling information system

45

Control Matrix: Data Entry with Master Data

Page 46: controlling information system

46

Recommended Control Plans with Master Data

• P-1: Enter data close to originating source
– Input data is entered directly and immediately; this reduces input costs, inputs are less likely to be lost, and errors are less likely and can be more easily corrected
– Online transaction entry (OLTE), online real-time processing (OLRT), and online transaction processing (OLTP) are all examples of this processing strategy.

• P-2: Digital signatures
– Authenticate that the sender of the message has the authority to send it and detect messages that have been altered in transit
– An application of public key cryptography involving the use of a private key to “sign” the data transmitted

Page 47: controlling information system

47

Recommended Control Plans with Master Data

• P-3: Populate input with master data
– User enters an entity’s ID code and the system then retrieves certain data about that entity from existing master data.
– User might be prompted to enter the customer ID (code).
– By accessing the customer master data, the system automatically provides data such as the customer’s name and address, the salesperson’s name, and the sales terms.
– This reduces the number of keystrokes required, making data entry quicker, more accurate, and more efficient.
– Therefore, the system automatically populates input fields with existing data

Page 48: controlling information system

48

Recommended Control Plans with Master Data

• P-4: Compare input data with master data—the system compares inputs with standing (master) data to ensure their accuracy and validity
– Input/master data dependency checks
• These edits test whether the contents of two or more data elements or fields on an event description bear the correct logical relationship.
• For example, input sales events can be tested to determine whether the salesperson works in the customer’s territory.
• If these two items don’t match, there is some evidence that the customer number or the salesperson identification was input erroneously.
– Input/master data validity and accuracy checks
• These edits test whether master data supports the validity and accuracy of the input. For example, this edit might prevent the input of a shipment when no record of a corresponding customer order exists. If no match is made, we may have input some data incorrectly, or the shipment might simply be invalid. We might also compare elements within the input and master data.
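P-3 (populate input from master data) and P-4 (compare input data with master data) both depend on an existing database being available at entry time. The Python below is an added example, not code from the slides or the textbook, covering both plans: a code lookup that fills in customer fields, the dependency check on salesperson versus customer territory, and the validity and accuracy check that refuses a shipment with no matching open order. The master data tables, record layouts and code values are constructed for illustration.

```python
"""Added example: P-3 population from master data and the two P-4
input/master data comparisons. All master data and records are constructed."""

# Constructed master data: customer master and salesperson master.
CUSTOMER_MASTER = {
    "C1001": {"name": "Acme Ltd", "territory": "NORTH"},
    "C1002": {"name": "Baker Co", "territory": "SOUTH"},
}
SALESPERSON_MASTER = {
    "S01": {"name": "Ortiz", "territory": "NORTH"},
    "S02": {"name": "Patel", "territory": "SOUTH"},
}
# Constructed open customer orders: order number -> customer, item, quantity ordered.
OPEN_ORDERS = {
    "SO-778": {"customer": "C1001", "item": "WIDGET", "qty": 40},
}


def populate_from_master(customer_code):
    """P-3: given only the customer code, pull name and territory from master
    data instead of having the clerk key them. Returns None for an unknown code,
    which is itself an input validity failure."""
    cust = CUSTOMER_MASTER.get(customer_code)
    if cust is None:
        return None
    return {"customer": customer_code, **cust}


def dependency_check(sale):
    """P-4 dependency check: the salesperson on a sales event must work in the
    customer's territory. A mismatch (or an unknown code) is evidence that the
    customer number or the salesperson identification was keyed erroneously."""
    cust = CUSTOMER_MASTER.get(sale["customer"])
    rep = SALESPERSON_MASTER.get(sale["salesperson"])
    if cust is None or rep is None:
        return False
    return cust["territory"] == rep["territory"]


def shipment_validity_check(shipment):
    """P-4 validity and accuracy check: accept a shipment only when a matching
    open customer order exists and its elements agree with the input.
    Returns (accepted, reason)."""
    order = OPEN_ORDERS.get(shipment["order"])
    if order is None:
        return False, "no corresponding customer order"
    if order["customer"] != shipment["customer"]:
        return False, "order belongs to a different customer"
    if order["item"] != shipment["item"]:
        return False, "item does not match order"
    if shipment["qty"] > order["qty"]:
        return False, "shipped quantity exceeds quantity ordered"
    return True, "ok"


if __name__ == "__main__":
    print(populate_from_master("C1002"))
    print(dependency_check({"customer": "C1001", "salesperson": "S01"}))   # same territory
    print(dependency_check({"customer": "C1001", "salesperson": "S02"}))   # territory mismatch
    print(shipment_validity_check({"order": "SO-778", "customer": "C1001",
                                   "item": "WIDGET", "qty": 40}))
    print(shipment_validity_check({"order": "SO-999", "customer": "C1001",
                                   "item": "WIDGET", "qty": 40}))
```

Each rejected comparison returns a reason so the rejected-input procedure (P-5 on the next slide) can tell the clerk what to correct and resubmit.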

Page 49: controlling information system

49

Recommended Control Plans with Master Data

• P-5: Procedures for rejected inputs
– After processing the input, the user compares the input with the master data to determine whether the input either is acceptable or contains errors, and that any errors are corrected and resubmitted

• P-6: Key Corrections
– The clerk completes the procedures for rejected inputs by keying the corrections into the computer, thus ensuring that the input is accurate.

• P-7: Record Input
– Once all necessary corrections are made, the user accepts the input.
– This action triggers the computer to simultaneously record the input in the transaction file and inform the user that the input data has been accepted.

• P-8: Interactive Feedback Checks
– These interactive programmed features inform the user that the input has been accepted and recorded or rejected for processing.